A recently disclosed critical security flaw impacting nginx-ui, an open-source, web-based Nginx management tool, has come under active exploitation in the wild.
The vulnerability in question is CVE-2026-33032 (CVSS score: 9.8), an authentication bypass vulnerability that enables threat actors to seize control of the Nginx service. It has been codenamed MCPwn by Pluto Security.
“The nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints: /mcp and /mcp_message,” according to an advisory released by nginx-ui maintainers last month. “While /mcp requires both IP whitelisting and authentication (AuthRequired() middleware), the /mcp_message endpoint only applies IP whitelisting — and the default IP whitelist is empty, which the middleware treats as ‘allow all.'”
“This means any network attacker can invoke all MCP tools without authentication, including restarting nginx, creating/modifying/deleting nginx configuration files, and triggering automatic config reloads – achieving complete nginx service takeover.”
According to Pluto Security researcher Yotam Perkal, who identified and reported the flaw, the attack can facilitate a full takeover in seconds via two requests –
- An HTTP GET request to the /mcp endpoint to establish a session and obtain a session ID.
- An HTTP POST request to the /mcp_message endpoint using the session ID to invoke any MCP tool sans authentication
The session establishment step requires authentication, but an attacker can pull it off by exploiting a separate vulnerability in nginx-ui versions prior to 2.3.3 (CVE-2026-27944, CVSS score: 9.8), which exposes the encryption keys required to decrypt backups without authentication via the “/api/backup” endpoint.
An unauthenticated attacker could weaponize this issue to download a full system backup and extract sensitive data, including user credentials, SSL private keys, Nginx configurations, and a query parameter called “node_secret” that’s used to authenticate the MCP interface. This “node_secret” value can be passed to the HTTP GET request to receive the session ID, which is then used to issue commands through “/mcp_message” without further authentication.
In other words, attackers can exploit this vulnerability by sending specially crafted HTTP requests directly to the “/mcp_message” endpoint without any authentication headers or tokens.
Successful exploitation of the flaw could enable them to invoke MCP tools and modify Nginx configuration files and reload the server. Furthermore, an attacker could exploit this loophole to intercept all traffic and harvest administrator credentials.
Following responsible disclosure, the vulnerability was addressed in version 2.3.4, released on March 15, 2026. As workarounds, users are advised to add “middleware.AuthRequired()” to the “/mcp_message” endpoint to force authentication. Alternatively, it’s advised to change the IP allowlisting default behavior from “allow-all” to “deny-all.”
The disclosure comes as Recorded Future, in a report published this week, listed CVE-2026-33032 as one of the 31 vulnerabilities that have been actively exploited by threat actors in March 2026. There are currently no insights on the exploitation activity associated with the security flaw.
“When you bolt MCP onto an existing application, the MCP endpoints inherit the application’s full capabilities but not necessarily its security controls. The result is a backdoor that bypasses every authentication mechanism the application was carefully built with,” Perkal said.
Data from Shodan shows that there are about 2,689 exposed instances on the internet, with most of them located in China, the U.S., Indonesia, Germany, and Hong Kong.
“Given the approximately 2,600 publicly reachable nginx-ui instances our researchers identified, the risk to unpatched deployments is immediate and real,” Pluto told The Hacker News. “Organizations running nginx-ui should treat this as an emergency: update to version 2.3.4 immediately, or disable MCP functionality and restrict network access as an interim measure.”
News of CVE-2026-33032 follows the discovery of two security flaws in the Atlassian MCP server (“mcp-atlassian”) that could be chained to achieve remote code execution. The flaws – tracked as CVE-2026-27825 (CVSS 9.1) and CVE-2026-27826 (CVSS 8.2) and dubbed MCPwnfluence – enable any attacker on the same local network to run arbitrary code on a vulnerable machine without requiring any authentication.
“When chaining both vulnerabilities — we are able to send requests to the MCP from the LAN [local area network], redirect the server to the attacker machine, upload an attachment, and then receive a full unauthenticated RCE from the LAN,” Pluto Security said.
About The Author
Original post here
